def make_certificate( ca_crt_path = 'ca.crt', ca_key_path = 'ca.key', server_crt_path = 'server.crt', server_key_path = 'server.key', vars=None): # make the certificat of CA # need passphrase ? ca_key = PKey() ca_key.generate_key(TYPE_RSA, 1024) dump_write(dump_privatekey(FILETYPE_PEM, ca_key), ca_key_path) # MAKE THE CA SELF-SIGNED CERTIFICATE cert = X509() sub = cert.get_subject() set_x509_ca(sub, vars=vars) #FORMAT : YYYYMMDDhhmmssZ after = '20200101000000Z' before = '20090101000000Z' cert.set_notAfter(after) cert.set_notBefore(before) cert.set_serial_number(1) cert.set_pubkey(ca_key) cert.set_issuer(cert.get_subject()) cert.sign(ca_key,"MD5") dump_write(dump_certificate(FILETYPE_PEM, cert), ca_crt_path) print "Generated CA certificate in %s" % ca_crt_path # MAKE THE SERVER CERTIFICATE s_key = PKey() s_key.generate_key(TYPE_RSA, 1024) dump_write(dump_privatekey(FILETYPE_PEM, s_key), server_key_path) s_cert = X509() s_sub = s_cert.get_subject() set_x509_serv(s_sub, vars=vars) #FORMAT : YYYYMMDDhhmmssZ after = '20200101000000Z' before = '20090101000000Z' s_cert.set_notAfter(after) s_cert.set_notBefore(before) s_cert.set_serial_number(2) s_cert.set_pubkey(s_key) s_cert.set_issuer(cert.get_subject()) s_cert.sign(ca_key,"MD5") dump_write(dump_certificate(FILETYPE_PEM, s_cert), server_crt_path) print "Generated Server certificate in %s" % server_crt_path for p in [ca_key_path, server_key_path]: os.chmod(p, 0600)
def __getitem__(self, cn): cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not os.path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(self.filetype, key)) f.write(dump_certificate(self.filetype, cert)) return cnp
def _generate_ca(self): # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'Namecoin .bit proxy' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(self.filetype, self.key)) f.write(dump_certificate(self.filetype, self.cert)) # export for Windows with open("ca.crt", 'wb+') as f: f.write(dump_certificate(self.filetype, self.cert))
def __getitem__(self, cn): cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # Crea Key key = PKey() key.generate_key(TYPE_RSA, 2048) # Crea CSR # revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Firmar CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def __getitem__(self, cn): ''' Gets the specified Certificate authority file if it already exists, else creates one! ''' cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def _validate_dependencies_met(): """ Verifies that PyOpenSSL's package-level dependencies have been met. Throws `ImportError` if they are not met. """ # Method added in `cryptography==1.1`; not available in older versions from cryptography.x509.extensions import Extensions if getattr(Extensions, "get_extension_for_class", None) is None: raise ImportError( "'cryptography' module missing required functionality. " "Try upgrading to v1.3.4 or newer.") # pyOpenSSL 0.14 and above use cryptography for OpenSSL bindings. The _x509 # attribute is only present on those versions. from OpenSSL.crypto import X509 x509 = X509() if getattr(x509, "_x509", None) is None: raise ImportError("'pyOpenSSL' module missing required functionality. " "Try upgrading to v0.14 or newer.")
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool: if certname and keyname and _dir: if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force: return True else: if path.exists(_dir+certname): remove(_dir+certname) if path.exists(_dir+keyname): remove(_dir+keyname) key = PKey() key.generate_key(TYPE_RSA, 4096) cert = X509() cert.set_serial_number(uuid4().int) cert.set_version(2) cert.get_subject().C = "US" cert.get_subject().ST = "WA" cert.get_subject().L = "127.0.0.1" cert.get_subject().O = "github.com/qeeqbox/analyzer" cert.get_subject().OU = "github.com/qeeqbox/analyzer" cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer" cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),]) cert.sign(key, 'sha256') with open(_dir+certname, 'wb') as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(_dir+keyname, 'wb') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) return True return False
def _generate_ca(self): # Crea KEY de tipo RSA self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Crea Certificado X509 self.cert = X509() self.cert.set_version(3) # Le puse 10000 no se por que self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.proxymitm.com' self.cert.gmtime_adj_notBefore(0) #Tiempo de duracion del certificado self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) #Atributos del ceriticado self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert))
def pem_cert_bytes_to_open_ssl_x509(cert: bytes) -> X509: """Convert PEM-formatted certificate bytes into an X509 instance usable for cert chain validation """ cert_crypto = load_pem_x509_certificate(cert, default_backend()) cert_openssl = X509().from_cryptography(cert_crypto) return cert_openssl
def get_cert_path(self, cn): cnp = os.path.sep.join( [self.cache_dir, '%s-%s.pem' % (self.CERT_PREFIX, cn)]) if os.path.exists(cnp): print("Cert already exists common_name=%s" % cn) else: print("Creating and signing cert common_name=%s" % cn) key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(123) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) print("Created cert common_name=%s location=%s" % (cn, cnp)) return cnp
def verify_signature(signature_input, signature, pubkey_pem, digest_algo='sha256'): '''Verify if `signature` over `signature_input` was created using `digest_algo` by the private key of the `pubkey_pem`. A signature is the private key encrypted hash over the signature input data. Args: signature_input(bytes): signed data signature(bytes): pubkey_pem(str): PEM formatted pubkey digest_algo(str): name of the used digest hash algorithm (default: 'sha256') Return: True, if signature could be verified False, else ''' cryptography_key = serialization.load_pem_public_key(pubkey_pem, backend) pkey = pkey_from_cryptography_key(cryptography_key) auxiliary_cert = X509() auxiliary_cert.set_pubkey(pkey) try: verify(cert=auxiliary_cert, signature=signature, data=signature_input, digest=digest_algo) except OpenSSL_crypto_Error: return False return True
def make_cert(filename, cacert=None, cakey=None): key = PKey() key.generate_key(TYPE_RSA, 2048) cert = X509() subject = cert.get_subject() subject.C = b"TR" subject.ST = b"Çorum" subject.L = b"Başmakçı" subject.CN = b"localhost" subject.O = b"Mozilla Test" subject.OU = b"Autopush Test %s" % filename subject.emailAddress = b"*****@*****.**" subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost') cert.add_extensions([subjectAltName]) cert.set_serial_number(uuid.uuid4().int) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100) cert.set_pubkey(key) if not cacert: # self sign cacert = cert cakey = key cert.set_issuer(cacert.get_subject()) cert.sign(cakey, 'sha1') with open(filename, 'wb') as fp: fp.write(dump_privatekey(FILETYPE_PEM, key)) fp.write(dump_certificate(FILETYPE_PEM, cert)) return cert, key
def _gen_ca(self, again=False): # Generate key if os.path.exists(self.ca_file_path) and os.path.exists( self.cert_file_path) and not again: self._read_ca(self.ca_file_path) return self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(2) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'CachingProxy' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert)) with open(self.cert_file_path, 'wb+') as f: f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _sign_ca(self, cn, cnp): # 使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions([X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e)))
def _generate_ca(self): ''' This function generates the certificate authority file ''' # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.mitm.com' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha1") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert))
def test_issue_certificate_with_csr(self): """ Tests issuance of a certificate """ cmd = issueCertificate.issueCertificateCmd() cmd.csr = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCByQIBADBkMQswCQYDVQQGEwJJTjELMAkGA1UECAwCSFIxETAPBgNVBAcM\nCEd1cnVncmFtMQ8wDQYDVQQKDAZBcGFjaGUxEzARBgNVBAsMCkNsb3VkU3RhY2sx\nDzANBgNVBAMMBnYtMS1WTTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQD46KFWKYrJ\nF43Y1oqWUfrl4mj4Qm05Bgsi6nuigZv7ufiAKK0nO4iJKdRa2hFMUvBi2/bU3IyY\nNvg7cdJsn4K9AgMBAAGgADANBgkqhkiG9w0BAQUFAANBAIta9glu/ZSjA/ncyXix\nyDOyAKmXXxsRIsdrEuIzakUuJS7C8IG0FjUbDyIaiwWQa5x+Lt4oMqCmpNqRzaGP\nfOo=\n-----END CERTIFICATE REQUEST-----" cmd.provider = 'root' response = self.apiclient.issueCertificate(cmd) self.assertTrue(response.privatekey is None) self.assertTrue(len(response.cacertificates) > 0) self.assertTrue(len(response.certificate) > 0) cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend()) # Validate basic certificate attributes self.assertEqual(cert.signature_hash_algorithm.name, 'sha256') self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'v-1-VM') # Validate certificate against CA public key global PUBKEY_VERIFY if not PUBKEY_VERIFY: return caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend()) x = X509() x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)))) verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
def test_issue_certificate_without_csr(self): """ Tests issuance of a certificate """ cmd = issueCertificate.issueCertificateCmd() cmd.domain = 'apache.org,cloudstack.apache.org' cmd.ipaddress = '10.1.1.1,10.2.2.2' cmd.provider = 'root' response = self.apiclient.issueCertificate(cmd) self.assertTrue(len(response.privatekey) > 0) self.assertTrue(len(response.cacertificates) > 0) self.assertTrue(len(response.certificate) > 0) cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend()) # Validate basic certificate attributes self.assertEqual(cert.signature_hash_algorithm.name, 'sha256') self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'apache.org') # Validate alternative names altNames = cert.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME) for domain in cmd.domain.split(','): self.assertTrue(domain in altNames.value.get_values_for_type(x509.DNSName)) for address in cmd.ipaddress.split(','): self.assertTrue(address in map(lambda x: str(x), altNames.value.get_values_for_type(x509.IPAddress))) # Validate certificate against CA public key global PUBKEY_VERIFY if not PUBKEY_VERIFY: return caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend()) x = X509() x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)))) verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
def verify_sig(data, sig, public_key): """ Verify a signature """ # HACK b/c openssl expects an X509 object cert = X509() cert.set_pubkey(public_key) return verify(cert, sig, data, HASH_TYPE)
def check_authorized(signature, public_key, payload): """Reformat PEM-encoded public key for pyOpenSSL, verify signature. See: https://docs.travis-ci.com/user/notifications/#Verifying-Webhook-requests """ pkey_public_key = load_publickey(FILETYPE_PEM, public_key) certificate = X509() certificate.set_pubkey(pkey_public_key) verify(certificate, signature, payload, str('sha1'))
def check_authorized(self, signature, public_key, payload): """ Convert the PEM encoded public key to a format palatable for pyOpenSSL, then verify the signature """ pkey_public_key = load_publickey(FILETYPE_PEM, public_key) certificate = X509() certificate.set_pubkey(pkey_public_key) verify(certificate, signature, payload, str('sha1'))
def logHeader(): popen_list = [sys.executable, lazylibrarian.FULL_PATH] popen_list += lazylibrarian.ARGS header = "Startup cmd: %s\n" % str(popen_list) header += 'Interface: %s\n' % lazylibrarian.CONFIG['HTTP_LOOK'] header += 'Loglevel: %s\n' % lazylibrarian.LOGLEVEL for item in lazylibrarian.CONFIG_GIT: header += '%s: %s\n' % (item.lower(), lazylibrarian.CONFIG[item]) header += "Python version: %s\n" % sys.version.split('\n') # noinspection PyDeprecation header += "Distribution: %s\n" % str(platform.dist()) header += "System: %s\n" % str(platform.system()) header += "Machine: %s\n" % str(platform.machine()) header += "Platform: %s\n" % str(platform.platform()) header += "uname: %s\n" % str(platform.uname()) header += "version: %s\n" % str(platform.version()) header += "mac_ver: %s\n" % str(platform.mac_ver()) header += "openssl: %s\n" % getattr(ssl, 'OPENSSL_VERSION', None) header += "requests: %s\n" % getattr(requests, '__version__', None) if not lazylibrarian.GROUP_CONCAT: # 3.5.4 is the earliest version with GROUP_CONCAT which we use, but is not essential header += 'sqlite3: missing required functionality. Try upgrading to v3.5.4 or newer. You have ' header += "sqlite3: %s\n" % getattr(sqlite3, 'sqlite_version', None) try: # pyOpenSSL 0.14 and above use cryptography for OpenSSL bindings. The _x509 # attribute is only present on those versions. # noinspection PyUnresolvedReferences import OpenSSL # noinspection PyUnresolvedReferences from OpenSSL.crypto import X509 x509 = X509() if getattr(x509, "_x509", None) is None: header += "pyOpenSSL: module missing required functionality. Try upgrading to v0.14 or newer. You have " header += "pyOpenSSL: %s\n" % getattr(OpenSSL, '__version__', None) from OpenSSL import SSL except ImportError: header += "pyOpenSSL: module missing\n" try: import OpenSSL.SSL except (ImportError, AttributeError) as e: header += 'OpenSSL missing module/attribute: %s\n' % e try: # get_extension_for_class method added in `cryptography==1.1`; not available in older versions # but need cryptography >= 1.3.4 for access from pyopenssl >= 0.14 # noinspection PyUnresolvedReferences import cryptography # noinspection PyUnresolvedReferences from cryptography.x509.extensions import Extensions if getattr(Extensions, "get_extension_for_class", None) is None: header += "cryptography: module missing required functionality. Try upgrading to v1.3.4 or newer. You have " header += "cryptography: %s\n" % getattr(cryptography, '__version__', None) except ImportError: header += "cryptography: module missing\n" return header
def setup_class(cls): cls.intermediate_cert = load_certificate(FILETYPE_PEM, cls.intermediate_certificate_pem) cls.pub_cert = load_certificate(FILETYPE_PEM, cls.apple_root_cert_pem) cls.priv_key = load_privatekey(FILETYPE_PEM, cls._root_key_pem) cls.priv_key_spoof = PKey() cls.priv_key_spoof.generate_key(TYPE_RSA, 1024) cls.pub_cert_spoof = X509() cls.pub_cert_spoof.set_pubkey(cls.priv_key_spoof)
def check_exception(self): """ Call the method repeatedly such that it will raise an exception. """ for i in xrange(self.iterations): cert = X509() try: cert.get_pubkey() except Error: pass
def _sign_csr(self, key, req): cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') return cert
def sign_certificate_request(self, cert_req: X509Req, serial_number: int) -> X509: cert = X509() cert.set_issuer(self.__cert.get_subject()) cert.set_pubkey(cert_req.get_pubkey()) cert.set_subject(cert_req.get_subject()) cert.set_serial_number(serial_number) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(365 * 24 * 60 * 60) cert.sign(self.__pkey, "sha256") return cert
def verifyFunction(self,absolutePathWithText, absolutePathWithPubKey, absolutePathWithSig): pk = self.loadPublicKey(absolutePathWithPubKey) x509 = X509() x509.set_pubkey(pk) signature = open(absolutePathWithSig, 'rb').read() try: if (verify(x509, signature, open(absolutePathWithText).read(), 'sha256') == None): print("验证成功") except: print("验证失败!")
def _create_cert(self, pkey, commonname, serial, extensions, **kwargs): """ Create a certificate Arguments: pkey -- the key pair for the certificate commonname -- the common name for the certificate subject serial -- the certificate serial number extensions -- the X509Ext list Keywords arguments: expire -- the number for days the certificate is valid (default 365) version -- the version number for the certificate (default 1) """ expire_kw = 'expire' if expire_kw in kwargs: expire = kwargs[expire_kw] else: expire = 365 version_kw = 'version' if version_kw in kwargs: version = kwargs[version_kw] else: version = 1 now = datetime.utcnow() cert = X509() cert.get_subject().CN = commonname cert.get_issuer().CN = self.commonname startdate = now.strftime('%Y%m%d%H%M%SZ') cert.set_notBefore(startdate.encode('ascii')) enddate = (now + timedelta(expire)).strftime('%Y%m%d%H%M%SZ') cert.set_notAfter(enddate.encode('ascii')) cert.set_pubkey(pkey) cert.set_serial_number(serial) cert.set_version(version) if extensions: cert.add_extensions(extensions) self._sign_cert(cert) cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode() cert_path = self._get_cert_path(commonname, serial) with open(cert_path, 'w') as cert_file: cert_file.writelines(get_pretty_subject(cert)) cert_file.writelines(cert_pem) cert_link = self._get_cert_link(commonname) if os.path.exists(cert_link): os.unlink(cert_link) os.symlink(os.path.basename(cert_path), cert_link) return cert
def make_cert(req: X509Req, ca_pkey: PKey) -> X509: cert = X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.set_notBefore(x509_time(minutes=-1)) cert.set_notAfter(x509_time(days=30)) # noinspection PyTypeChecker cert.sign(ca_pkey, 'sha1') return cert
def create_certificate_from_csr(csr, issuer): x = X509() x.set_issuer(issuer.get_subject()) x.set_subject(csr.get_subject()) x.set_pubkey(csr.get_pubkey()) x.set_serial_number(1) now = datetime.datetime.utcnow() not_before = convert_timestamp(now) not_after = convert_timestamp(now + datetime.timedelta(days=365 * 5)) x.set_notBefore(not_before) x.set_notAfter(not_after) return x
def check_authorized(signature, payload): """ Convert the PEM encoded public key to a format palatable for pyOpenSSL, then verify the signature """ response = requests.get('https://api.travis-ci.org/config', timeout=10.0) response.raise_for_status() public_key = response.json( )['config']['notifications']['webhook']['public_key'] pkey_public_key = load_publickey(FILETYPE_PEM, public_key) certificate = X509() certificate.set_pubkey(pkey_public_key) verify(certificate, base64.b64decode(signature), payload, str('SHA1'))